Merge branch 'main' into atorralba/promote-ognl-injection

2025-12-21 19:26:31 +01:00 · 2021-07-20 17:17:17 +02:00
parent 47fffb04a6 5a489a386a
commit b6904a7992
2457 changed files with 219307 additions and 31173 deletions
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -0,0 +1,97 @@
+name: Check framework coverage changes
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/csv-coverage-pr-comment.yml'
+      - '*/ql/src/**/*.ql'
+      - '*/ql/src/**/*.qll'
+      - 'misc/scripts/library-coverage/*.py'
+      # input data files
+      - '*/documentation/library-coverage/cwe-sink.csv'
+      - '*/documentation/library-coverage/frameworks.csv'
+    branches:
+      - main
+      - 'rc/*'
+
+jobs:
+  generate:
+    name: Generate framework coverage artifacts
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql) - MERGE
+      uses: actions/checkout@v2
+      with:
+        path: merge
+    - name: Clone self (github/codeql) - BASE
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 2
+        path: base
+    - run: |
+        git checkout HEAD^1
+        git log -1 --format='%H'
+      working-directory: base
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Generate CSV files on merge commit of the PR
+      run: |
+        echo "Running generator on merge"
+        PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
+        mkdir out_merge
+        cp framework-coverage-*.csv out_merge/
+        cp framework-coverage-*.rst out_merge/
+    - name: Generate CSV files on base commit of the PR
+      run: |
+        echo "Running generator on base"
+        PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
+        mkdir out_base
+        cp framework-coverage-*.csv out_base/
+        cp framework-coverage-*.rst out_base/
+    - name: Generate diff of coverage reports
+      run: |
+        python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-merge
+        path: |
+          out_merge/framework-coverage-*.csv
+          out_merge/framework-coverage-*.rst
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-base
+        path: |
+          out_base/framework-coverage-*.csv
+          out_base/framework-coverage-*.rst
+    - name: Upload comparison results
+      uses: actions/upload-artifact@v2
+      with:
+        name: comparison
+        path: |
+          comparison.md
+    - name: Save PR number
+      run: |
+        mkdir -p pr
+        echo ${{ github.event.pull_request.number }} > pr/NR
+    - name: Upload PR number
+      uses: actions/upload-artifact@v2
+      with:
+        name: pr
+        path: pr/
--- a/.github/workflows/csv-coverage-pr-comment.yml
+++ b/.github/workflows/csv-coverage-pr-comment.yml
@@ -0,0 +1,34 @@
+name: Comment on PR with framework coverage changes
+
+on:
+  workflow_run:
+    workflows: ["Check framework coverage changes"]
+    types:
+      - completed
+
+jobs:
+  check:
+    name: Check framework coverage differences and comment
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+
+    - name: Check coverage difference file and comment
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"
--- a/.github/workflows/csv-coverage-timeseries.yml
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -0,0 +1,42 @@
+name: Build framework coverage timeseries reports
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: script
+    - name: Clone self (github/codeql) for analysis
+      uses: actions/checkout@v2
+      with:
+        path: codeqlModels
+        fetch-depth: 0
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Build modeled package list
+      run: |
+        CLI=$(realpath "codeql-cli/codeql")
+        echo $CLI
+        PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
+    - name: Upload timeseries CSV
+      uses: actions/upload-artifact@v2
+      with:
+        name: framework-coverage-timeseries
+        path: framework-coverage-timeseries-*.csv
+
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -0,0 +1,44 @@
+name: Update framework coverage reports
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  update:
+    name: Update framework coverage report
+    if: github.event.repository.fork == false
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: ql
+        fetch-depth: 0
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+
+    - name: Generate coverage files
+      run: |
+        PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
+
+    - name: Create pull request with changes
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -1,4 +1,4 @@
-name: Build/check CSV flow coverage report
+name: Build framework coverage reports

 on:
  workflow_dispatch:
@@ -6,22 +6,6 @@ on:
      qlModelShaOverride:
        description: 'github/codeql repo SHA used for looking up the CSV models'
        required: false
-  push:
-    branches:
-     - main
-     - 'rc/**'
-  pull_request:
-    paths:
-      - '.github/workflows/csv-coverage.yml'
-      - '*/ql/src/**/*.ql'
-      - '*/ql/src/**/*.qll'
-      - 'misc/scripts/library-coverage/*.py'
-      # input data files
-      - '*/documentation/library-coverage/cwe-sink.csv'
-      - '*/documentation/library-coverage/frameworks.csv'
-      # coverage report files
-      - '*/documentation/library-coverage/flow-model-coverage.csv'
-      - '*/documentation/library-coverage/flow-model-coverage.rst'

 jobs:
  build:
@@ -33,28 +17,20 @@ jobs:
      uses: actions/checkout@v2
      with:
        path: script
-    - name: Clone self (github/codeql) at a given SHA for analysis
-      if: github.event.inputs.qlModelShaOverride != ''
-      uses: actions/checkout@v2
-      with:
-        path: codeqlModels
-        ref: github.event.inputs.qlModelShaOverride
    - name: Clone self (github/codeql) for analysis
-      if: github.event.inputs.qlModelShaOverride == ''
      uses: actions/checkout@v2
      with:
        path: codeqlModels
+        ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
    - name: Set up Python 3.8
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
-      uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
-      with:
-        repo: "github/codeql-cli-binaries"
-        version: "latest"
-        file: "codeql-linux64.zip"
-        token: ${{ secrets.GITHUB_TOKEN }}
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
    - name: Unzip CodeQL CLI
      run: unzip -d codeql-cli codeql-linux64.zip
    - name: Build modeled package list
@@ -63,15 +39,11 @@ jobs:
    - name: Upload CSV package list
      uses: actions/upload-artifact@v2
      with:
-        name: csv-flow-model-coverage
-        path: flow-model-coverage-*.csv
+        name: framework-coverage-csv
+        path: framework-coverage-*.csv
    - name: Upload RST package list
      uses: actions/upload-artifact@v2
      with:
-        name: rst-flow-model-coverage
-        path: flow-model-coverage-*.rst
-    # - name: Check coverage files
-    #   if: github.event.pull_request
-    #   run: |
-    #     python script/misc/scripts/library-coverage/compare-files.py codeqlModels
+        name: framework-coverage-rst
+        path: framework-coverage-*.rst

--- a/6
+++ b/6
@@ -17,3 +17,9 @@
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
+
+# CodeQL tools and associated docs
+/docs/codeql-cli/ @github/codeql-cli-reviewers
+/docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
+/docs/ql-language-reference/ @github/codeql-frontend-reviewers
+/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -448,5 +448,17 @@
  "SensitiveDataHeuristics Python/JS": [
    "javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
    "python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
+  ],
+  "ReDoS Util Python/JS": [
+    "javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll",
+    "python/ql/src/semmle/python/security/performance/ReDoSUtil.qll"
+  ],
+  "ReDoS Exponential Python/JS": [
+    "javascript/ql/src/semmle/javascript/security/performance/ExponentialBackTracking.qll",
+    "python/ql/src/semmle/python/security/performance/ExponentialBackTracking.qll"
+  ],
+  "ReDoS Polynomial Python/JS": [
+    "javascript/ql/src/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
+    "python/ql/src/semmle/python/security/performance/SuperlinearBackTracking.qll"
  ]
 }
--- a/cpp/change-notes/2021-06-15-path-sensitive-stack-reachability.md
+++ b/cpp/change-notes/2021-06-15-path-sensitive-stack-reachability.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The `StackVariableReachability` library now ignores some paths that contain an infeasible combination
+  of conditionals. These improvements primarily affect the queries `cpp/uninitialized-local` and
+  `cpp/use-after-free`.
--- a/cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md
+++ b/cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.
--- a/cpp/change-notes/2021-06-24-dataflow-implicit-reads.md
+++ b/cpp/change-notes/2021-06-24-dataflow-implicit-reads.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.
--- a/cpp/change-notes/2021-06-24-uncontrolled-arithmetic.md
+++ b/cpp/change-notes/2021-06-24-uncontrolled-arithmetic.md
@@ -0,0 +1,2 @@
+lgtm
+* The 'Uncontrolled data in arithmetic expression' (cpp/uncontrolled-arithmetic) query now recognizes more sources of randomness.
--- a/cpp/change-notes/2021-06-30-wrong-type-format-argument.md
+++ b/cpp/change-notes/2021-06-30-wrong-type-format-argument.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Wrong type of arguments to formatting function' (cpp/wrong-type-format-argument) query is now more accepting of the string and character formatting differences between Microsoft and non-Microsoft platforms.  There are now fewer false positive results.
--- a/Errors/OffsetUseBeforeRangeCheck.ql
+++ b/Errors/OffsetUseBeforeRangeCheck.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/offset-use-before-range-check
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.2
 * @precision medium
 * @tags reliability
 *       security
--- a/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/descriptor-may-not-be-closed
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/DescriptorNeverClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorNeverClosed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/descriptor-never-closed
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/FileMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/FileMayNotBeClosed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/file-may-not-be-closed
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/FileNeverClosed.ql
+++ b/cpp/ql/src/Critical/FileNeverClosed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/file-never-closed
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
+++ b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/global-use-before-init
 * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.8
 * @tags reliability
 *       security
 *       external/cwe/cwe-457
--- a/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
+++ b/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/inconsistent-nullness-testing
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
--- a/cpp/ql/src/Critical/InitialisationNotRun.ql
+++ b/cpp/ql/src/Critical/InitialisationNotRun.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/initialization-not-run
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
 * @tags reliability
 *       security
 *       external/cwe/cwe-456
--- a/cpp/ql/src/Critical/LateNegativeTest.ql
+++ b/cpp/ql/src/Critical/LateNegativeTest.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/late-negative-test
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @tags reliability
 *       security
 *       external/cwe/cwe-823
--- a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
+++ b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/memory-may-not-be-freed
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @tags efficiency
 *       security
 *       external/cwe/cwe-401
--- a/cpp/ql/src/Critical/MemoryNeverFreed.ql
+++ b/cpp/ql/src/Critical/MemoryNeverFreed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/memory-never-freed
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @tags efficiency
 *       security
 *       external/cwe/cwe-401
--- a/cpp/ql/src/Critical/MissingNegativityTest.ql
+++ b/cpp/ql/src/Critical/MissingNegativityTest.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/missing-negativity-test
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @tags reliability
 *       security
 *       external/cwe/cwe-823
--- a/cpp/ql/src/Critical/MissingNullTest.ql
+++ b/cpp/ql/src/Critical/MissingNullTest.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/missing-null-test
 * @problem.severity recommendation
- * @security-severity 3.6
+ * @security-severity 7.5
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
--- a/cpp/ql/src/Critical/NewFreeMismatch.ql
+++ b/cpp/ql/src/Critical/NewFreeMismatch.ql
@@ -3,7 +3,7 @@
 * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
 * @kind problem
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @precision high
 * @id cpp/new-free-mismatch
 * @tags reliability
--- a/cpp/ql/src/Critical/OverflowCalculated.ql
+++ b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/overflow-calculated
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
 * @tags reliability
 *       security
 *       external/cwe/cwe-131
--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/overflow-destination
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision low
 * @tags reliability
 *       security
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -4,7 +4,7 @@
 *              may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/static-buffer-overflow
 * @tags reliability
--- a/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
+++ b/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/return-stack-allocated-object
 * @problem.severity warning
- * @security-severity 2.9
+ * @security-severity 2.1
 * @tags reliability
 *       security
 *       external/cwe/cwe-562
--- a/cpp/ql/src/Critical/SizeCheck.ql
+++ b/cpp/ql/src/Critical/SizeCheck.ql
@@ -4,7 +4,7 @@
 *              an instance of the type of the pointer may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 8.1
 * @precision medium
 * @id cpp/allocation-too-small
 * @tags reliability
--- a/cpp/ql/src/Critical/SizeCheck2.ql
+++ b/cpp/ql/src/Critical/SizeCheck2.ql
@@ -4,7 +4,7 @@
 *              multiple instances of the type of the pointer may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 8.1
 * @precision medium
 * @id cpp/suspicious-allocation-size
 * @tags reliability
--- a/cpp/ql/src/Critical/UseAfterFree.ql
+++ b/cpp/ql/src/Critical/UseAfterFree.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/use-after-free
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.3
 * @tags reliability
 *       security
 *       external/cwe/cwe-416
--- a/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
+++ b/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
@@ -7,10 +7,6 @@

 import cpp

-class AnonymousCompilation extends Compilation {
-  override string toString() { result = "<compilation>" }
-}
-
 string describe(Compilation c) {
  if c.getArgument(1) = "--mimic"
  then result = "compiler invocation " + concat(int i | i > 1 | c.getArgument(i), " " order by i)
@@ -19,4 +15,4 @@ string describe(Compilation c) {

 from Compilation c
 where not c.normalTermination()
-select c, "Extraction aborted for " + describe(c), 2
+select "Extraction aborted for " + describe(c)
--- a/Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+++ b/Bugs/Arithmetic/BadAdditionOverflowCheck.ql
@@ -6,7 +6,7 @@
 *              to a larger type.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision very-high
 * @id cpp/bad-addition-overflow-check
 * @tags reliability
--- a/Bugs/Arithmetic/IntMultToLong.ql
+++ b/Bugs/Arithmetic/IntMultToLong.ql
@@ -4,7 +4,7 @@
 *              be a sign that the result can overflow the type converted from.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision high
 * @id cpp/integer-multiplication-cast-to-long
 * @tags reliability
--- a/Bugs/Arithmetic/SignedOverflowCheck.ql
+++ b/Bugs/Arithmetic/SignedOverflowCheck.ql
@@ -5,7 +5,7 @@
 *              unsigned integer values.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision high
 * @id cpp/signed-overflow-check
 * @tags correctness
--- a/Bugs/Conversion/CastArrayPointerArithmetic.ql
+++ b/Bugs/Conversion/CastArrayPointerArithmetic.ql
@@ -6,7 +6,7 @@
 *              use the width of the base type, leading to misaligned reads.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision high
 * @id cpp/upcast-array-pointer-arithmetic
 * @tags correctness
--- a/Bugs/Format/NonConstantFormat.ql
+++ b/Bugs/Format/NonConstantFormat.ql
@@ -6,7 +6,7 @@
 *              from an untrusted source, this can be used for exploits.
 * @kind problem
 * @problem.severity recommendation
- * @security-severity 6.9
+ * @security-severity 9.3
 * @precision high
 * @id cpp/non-constant-format
 * @tags maintainability
--- a/Bugs/Format/SnprintfOverflow.ql
+++ b/Bugs/Format/SnprintfOverflow.ql
@@ -3,7 +3,7 @@
 * @description Using the return value from snprintf without proper checks can cause overflow.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision high
 * @id cpp/overflowing-snprintf
 * @tags reliability
--- a/Bugs/Format/WrongNumberOfFormatArguments.ql
+++ b/Bugs/Format/WrongNumberOfFormatArguments.ql
@@ -4,7 +4,7 @@
 *              a source of security issues.
 * @kind problem
 * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
 * @precision high
 * @id cpp/wrong-number-format-arguments
 * @tags reliability
--- a/Bugs/Format/WrongTypeFormatArguments.ql
+++ b/Bugs/Format/WrongTypeFormatArguments.ql
@@ -4,7 +4,7 @@
 *              behavior.
 * @kind problem
 * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision high
 * @id cpp/wrong-type-format-argument
 * @tags reliability
@@ -19,28 +19,32 @@ import cpp
 * Holds if the argument corresponding to the `pos` conversion specifier
 * of `ffc` is expected to have type `expected`.
 */
-pragma[noopt]
 private predicate formattingFunctionCallExpectedType(
  FormattingFunctionCall ffc, int pos, Type expected
 ) {
-  exists(FormattingFunction f, int i, FormatLiteral fl |
-    ffc instanceof FormattingFunctionCall and
-    ffc.getTarget() = f and
-    f.getFormatParameterIndex() = i and
-    ffc.getArgument(i) = fl and
-    fl.getConversionType(pos) = expected
-  )
+  ffc.getFormat().(FormatLiteral).getConversionType(pos) = expected
 }

 /**
 * Holds if the argument corresponding to the `pos` conversion specifier
- * of `ffc` is expected to have type `expected` and the corresponding
- * argument `arg` has type `actual`.
+ * of `ffc` could alternatively have type `expected`, for example on a different
+ * platform.
+ */
+private predicate formattingFunctionCallAlternateType(
+  FormattingFunctionCall ffc, int pos, Type expected
+) {
+  ffc.getFormat().(FormatLiteral).getConversionTypeAlternate(pos) = expected
+}
+
+/**
+ * Holds if the argument corresponding to the `pos` conversion specifier
+ * of `ffc` is `arg` and has type `actual`.
 */
 pragma[noopt]
-predicate formatArgType(FormattingFunctionCall ffc, int pos, Type expected, Expr arg, Type actual) {
+predicate formattingFunctionCallActualType(
+  FormattingFunctionCall ffc, int pos, Expr arg, Type actual
+) {
  exists(Expr argConverted |
-    formattingFunctionCallExpectedType(ffc, pos, expected) and
    ffc.getConversionArgument(pos) = arg and
    argConverted = arg.getFullyConverted() and
    actual = argConverted.getType()
@@ -72,7 +76,8 @@ class ExpectedType extends Type {
  ExpectedType() {
    exists(Type t |
      (
-        formatArgType(_, _, t, _, _) or
+        formattingFunctionCallExpectedType(_, _, t) or
+        formattingFunctionCallAlternateType(_, _, t) or
        formatOtherArgType(_, _, t, _, _)
      ) and
      this = t.getUnspecifiedType()
@@ -91,7 +96,11 @@ class ExpectedType extends Type {
 */
 predicate trivialConversion(ExpectedType expected, Type actual) {
  exists(Type exp, Type act |
-    formatArgType(_, _, exp, _, act) and
+    (
+      formattingFunctionCallExpectedType(_, _, exp) or
+      formattingFunctionCallAlternateType(_, _, exp)
+    ) and
+    formattingFunctionCallActualType(_, _, _, act) and
    expected = exp.getUnspecifiedType() and
    actual = act.getUnspecifiedType()
  ) and
@@ -146,9 +155,13 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }
 from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where
  (
-    formatArgType(ffc, n, expected, arg, actual) and
+    formattingFunctionCallExpectedType(ffc, n, expected) and
+    formattingFunctionCallActualType(ffc, n, arg, actual) and
    not exists(Type anyExpected |
-      formatArgType(ffc, n, anyExpected, arg, actual) and
+      (
+        formattingFunctionCallExpectedType(ffc, n, anyExpected) or
+        formattingFunctionCallAlternateType(ffc, n, anyExpected)
+      ) and
      trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
    )
    or
--- a/Typos/IncorrectNotOperatorUsage.ql
+++ b/Typos/IncorrectNotOperatorUsage.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/incorrect-not-operator-usage
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @precision medium
 * @tags security
 *       external/cwe/cwe-480
--- a/Management/AllocaInLoop.ql
+++ b/Management/AllocaInLoop.ql
@@ -3,7 +3,7 @@
 * @description Using alloca in a loop can lead to a stack overflow
 * @kind problem
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @precision high
 * @id cpp/alloca-in-loop
 * @tags reliability
--- a/Management/ImproperNullTermination.ql
+++ b/Management/ImproperNullTermination.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/improper-null-termination
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags security
 *       external/cwe/cwe-170
 *       external/cwe/cwe-665
--- a/Management/PointerOverflow.ql
+++ b/Management/PointerOverflow.ql
@@ -4,7 +4,7 @@
 *              on undefined behavior and may lead to memory corruption.
 * @kind problem
 * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 2.1
 * @precision high
 * @id cpp/pointer-overflow-check
 * @tags reliability
--- a/Management/StrncpyFlippedArgs.ql
+++ b/Management/StrncpyFlippedArgs.ql
@@ -4,7 +4,7 @@
 *              as the third argument may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/bad-strncpy-size
 * @tags reliability
--- a/Management/SuspiciousCallToStrncat.ql
+++ b/Management/SuspiciousCallToStrncat.ql
@@ -3,7 +3,7 @@
 * @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/unsafe-strncat
 * @tags reliability
--- a/Management/SuspiciousSizeof.ql
+++ b/Management/SuspiciousSizeof.ql
@@ -5,7 +5,7 @@
 *              the machine pointer size.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id cpp/suspicious-sizeof
 * @tags reliability
--- a/Management/UninitializedLocal.ql
+++ b/Management/UninitializedLocal.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/uninitialized-local
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision medium
 * @tags security
 *       external/cwe/cwe-665
--- a/Management/UnsafeUseOfStrcat.ql
+++ b/Management/UnsafeUseOfStrcat.ql
@@ -4,7 +4,7 @@
 *              may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision medium
 * @id cpp/unsafe-strcat
 * @tags reliability
--- a/Bugs/OO/SelfAssignmentCheck.ql
+++ b/Bugs/OO/SelfAssignmentCheck.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/self-assignment-check
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.0
 * @tags reliability
 *       security
 *       external/cwe/cwe-826
--- a/Bugs/OO/UnsafeUseOfThis.ql
+++ b/Bugs/OO/UnsafeUseOfThis.ql
@@ -6,7 +6,7 @@
 * @kind path-problem
 * @id cpp/unsafe-use-of-this
 * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 7.5
 * @precision very-high
 * @tags correctness
 *       language-features
--- a/Functions/TooFewArguments.ql
+++ b/Functions/TooFewArguments.ql
@@ -7,7 +7,7 @@
 *              undefined data.
 * @kind problem
 * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
 * @precision very-high
 * @id cpp/too-few-arguments
 * @tags correctness
--- a/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
+++ b/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
@@ -9,7 +9,6 @@
 * @tags reliability
 *       external/cwe/cwe-573
 *       external/cwe/cwe-252
- * @opaque-id SM02344
 * @microsoft.severity Important
 */

--- a/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/memset-may-be-deleted
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.8
 * @precision high
 * @tags security
 *       external/cwe/cwe-14
--- a/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
@@ -5,7 +5,7 @@
 * @kind path-problem
 * @precision low
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags security external/cwe/cwe-20
 */

--- a/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,7 +5,7 @@
 * @kind path-problem
 * @precision low
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags security external/cwe/cwe-20
 */

--- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -4,7 +4,7 @@
 *              attacker to access unexpected resources.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision medium
 * @id cpp/path-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -5,7 +5,7 @@
 *              to command injection.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision low
 * @id cpp/command-line-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
 * @precision high
 * @id cpp/cgi-xss
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -5,7 +5,7 @@
 *              to SQL Injection.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
 * @precision high
 * @id cpp/sql-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -5,7 +5,7 @@
 *              commands.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.0
+ * @security-severity 8.2
 * @precision medium
 * @id cpp/uncontrolled-process-operation
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+++ b/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/overflow-buffer
 * @problem.severity recommendation
- * @security-severity 10.0
+ * @security-severity 9.3
 * @tags security
 *       external/cwe/cwe-119
 *       external/cwe/cwe-121
--- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
@@ -5,7 +5,7 @@
 *              overflow.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
 * @precision high
 * @id cpp/badly-bounded-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
@@ -4,7 +4,7 @@
 *              of data written may overflow.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/overrunning-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
@@ -5,7 +5,7 @@
 *              take extreme values.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/overrunning-write-with-float
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -4,7 +4,7 @@
 *              of data written may overflow.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/unbounded-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -5,7 +5,7 @@
 *              a specific value to terminate the argument list.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id cpp/unterminated-variadic-call
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/unclear-array-index-validation
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @tags security
 *       external/cwe/cwe-129
 */
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -5,7 +5,7 @@
 *              terminator can cause a buffer overrun.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision high
 * @id cpp/no-space-for-terminator
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -5,7 +5,7 @@
 *              or data representation problems.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 9.3
 * @precision high
 * @id cpp/tainted-format-string
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
@@ -5,7 +5,7 @@
 *              or data representation problems.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 9.3
 * @precision high
 * @id cpp/tainted-format-string-through-global
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -2,9 +2,9 @@
 * @name User-controlled data in arithmetic expression
 * @description Arithmetic operations on user-controlled data that is
 *              not validated can cause overflows.
- * @kind problem
+ * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
 * @precision low
 * @id cpp/tainted-arithmetic
 * @tags security
@@ -16,22 +16,39 @@ import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
+import Bounded

-from Expr origin, Operation op, Expr e, string effect
-where
-  isUserInput(origin, _) and
-  tainted(origin, e) and
-  op.getAnOperand() = e and
-  (
+bindingset[op]
+predicate missingGuard(Operation op, Expr e, string effect) {
  missingGuardAgainstUnderflow(op, e) and effect = "underflow"
  or
  missingGuardAgainstOverflow(op, e) and effect = "overflow"
  or
  not e instanceof VariableAccess and effect = "overflow"
-  ) and
-  (
+}
+
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element e) {
+    exists(Operation op |
+      missingGuard(op, e, _) and
+      op.getAnOperand() = e
+    |
      op instanceof UnaryArithmeticOperation or
      op instanceof BinaryArithmeticOperation
    )
-select e, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
-  origin, "User-provided value"
+  }
+
+  override predicate isBarrier(Expr e) {
+    super.isBarrier(e) or bounded(e) or e.getUnspecifiedType().(IntegralType).getSize() <= 1
+  }
+}
+
+from Expr origin, Expr e, string effect, PathNode sourceNode, PathNode sinkNode, Operation op
+where
+  taintedWithPath(origin, e, sourceNode, sinkNode) and
+  op.getAnOperand() = e and
+  missingGuard(op, e, effect)
+select e, sourceNode, sinkNode,
+  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
+  "User-provided value"
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -4,7 +4,7 @@
 *              validated can cause overflows.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
 * @precision medium
 * @id cpp/uncontrolled-arithmetic
 * @tags security
@@ -15,108 +15,63 @@
 import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.security.TaintTracking
-import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
-import TaintedWithPath
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import DataFlow::PathGraph
+import Bounded

-predicate isUnboundedRandCall(FunctionCall fc) {
-  exists(Function func | func = fc.getTarget() |
-    func.hasGlobalOrStdOrBslName("rand") and
-    not bounded(fc) and
-    func.getNumberOfParameters() = 0
-  )
+/**
+ * A function that outputs random data such as `std::rand`.
+ */
+abstract class RandomFunction extends Function {
+  /**
+   * Gets the `FunctionOutput` that describes how this function returns the random data.
+   */
+  FunctionOutput getFunctionOutput() { result.isReturnValue() }
 }

 /**
- * An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
- * a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
+ * The standard function `std::rand`.
 */
-pragma[inline]
-predicate boundedDiv(Expr e, Expr left) { e = left }
-
-/**
- * An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
- * an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
- * when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
- * allowed by the result type of `rem`.
- */
-pragma[inline]
-predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
-  e = left and
-  upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
-}
-
-/**
- * An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
- * or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
- * bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
- */
-pragma[inline]
-predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
-  operand1 != operand2 and
-  e = operand1 and
-  upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
-}
-
-/**
- * Holds if `fc` is a part of the left operand of a binary operation that greatly reduces the range
- * of possible values.
- */
-predicate bounded(Expr e) {
-  //  For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
-  //  maximum possible value of the result type of the operation.
-  //  For example, the function call `rand()` is considered bounded in the following program:
-  //  ```
-  //  int i = rand() % (UINT8_MAX + 1);
-  //  ```
-  //  but not in:
-  //  ```
-  //  unsigned char uc = rand() % (UINT8_MAX + 1);
-  //  ```
-  exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
-  or
-  exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
-  or
-  exists(BitwiseAndExpr andExpr |
-    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
-  )
-  or
-  exists(AssignAndExpr andExpr |
-    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
-  )
-  or
-  // Optimitically assume that a division always yields a much smaller value.
-  boundedDiv(e, any(DivExpr div).getLeftOperand())
-  or
-  boundedDiv(e, any(AssignDivExpr div).getLValue())
-  or
-  boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
-  or
-  boundedDiv(e, any(AssignRShiftExpr div).getLValue())
-}
-
-predicate isUnboundedRandCallOrParent(Expr e) {
-  isUnboundedRandCall(e)
-  or
-  isUnboundedRandCallOrParent(e.getAChild())
-}
-
-predicate isUnboundedRandValue(Expr e) {
-  isUnboundedRandCall(e)
-  or
-  exists(MacroInvocation mi |
-    e = mi.getExpr() and
-    isUnboundedRandCallOrParent(e)
-  )
-}
-
-class SecurityOptionsArith extends SecurityOptions {
-  override predicate isUserInput(Expr expr, string cause) {
-    isUnboundedRandValue(expr) and
-    cause = "rand"
+private class StdRand extends RandomFunction {
+  StdRand() {
+    this.hasGlobalOrStdOrBslName("rand") and
+    this.getNumberOfParameters() = 0
  }
 }

+/**
+ * The Unix function `rand_r`.
+ */
+private class RandR extends RandomFunction {
+  RandR() {
+    this.hasGlobalName("rand_r") and
+    this.getNumberOfParameters() = 1
+  }
+}
+
+/**
+ * The Unix function `random`.
+ */
+private class Random extends RandomFunction {
+  Random() {
+    this.hasGlobalName("random") and
+    this.getNumberOfParameters() = 1
+  }
+}
+
+/**
+ * The Windows `rand_s` function.
+ */
+private class RandS extends RandomFunction {
+  RandS() {
+    this.hasGlobalName("rand_s") and
+    this.getNumberOfParameters() = 1
+  }
+
+  override FunctionOutput getFunctionOutput() { result.isParameterDeref(0) }
+}
+
 predicate missingGuard(VariableAccess va, string effect) {
  exists(Operation op | op.getAnOperand() = va |
    missingGuardAgainstUnderflow(op, va) and effect = "underflow"
@@ -125,16 +80,47 @@ predicate missingGuard(VariableAccess va, string effect) {
  )
 }

-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element e) { missingGuard(e, _) }
+class UncontrolledArithConfiguration extends TaintTracking::Configuration {
+  UncontrolledArithConfiguration() { this = "UncontrolledArithConfiguration" }

-  override predicate isBarrier(Expr e) { super.isBarrier(e) or bounded(e) }
+  override predicate isSource(DataFlow::Node source) {
+    exists(RandomFunction rand, Call call | call.getTarget() = rand |
+      rand.getFunctionOutput().isReturnValue() and
+      source.asExpr() = call
+      or
+      exists(int n |
+        source.asDefiningArgument() = call.getArgument(n) and
+        rand.getFunctionOutput().isParameterDeref(n)
+      )
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { missingGuard(sink.asExpr(), _) }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    bounded(node.asExpr())
+    or
+    // If this expression is part of bitwise 'and' or 'or' operation it's likely that the value is
+    // only used as a bit pattern.
+    node.asExpr() =
+      any(Operation op |
+        op instanceof BitwiseOrExpr or
+        op instanceof BitwiseAndExpr or
+        op instanceof ComplementExpr
+      ).getAnOperand*()
+  }
 }

-from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
+/** Gets the expression that corresponds to `node`, if any. */
+Expr getExpr(DataFlow::Node node) { result = [node.asExpr(), node.asDefiningArgument()] }
+
+from
+  UncontrolledArithConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  VariableAccess va, string effect
 where
-  taintedWithPath(origin, va, sourceNode, sinkNode) and
+  config.hasFlowPath(source, sink) and
+  sink.getNode().asExpr() = va and
  missingGuard(va, effect)
-select va, sourceNode, sinkNode,
-  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
-  "Uncontrolled value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
+  getExpr(source.getNode()), "Uncontrolled value"
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/arithmetic-with-extreme-values
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
 * @precision low
 * @tags security
 *       reliability
--- a/cpp/ql/src/Security/CWE/CWE-190/Bounded.qll
+++ b/cpp/ql/src/Security/CWE/CWE-190/Bounded.qll
@@ -0,0 +1,55 @@
+/**
+ * This file provides the `bounded` predicate that is used in both `cpp/uncontrolled-arithmetic`
+ * and `cpp/tainted-arithmetic`.
+ */
+
+private import cpp
+private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
+
+/**
+ * An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
+ * or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
+ * bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
+ */
+pragma[inline]
+private predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
+  operand1 != operand2 and
+  e = operand1 and
+  upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
+}
+
+/**
+ * Holds if `e` is an arithmetic expression that cannot overflow, or if `e` is an operand of an
+ * operation that may greatly reduce the range of possible values.
+ */
+predicate bounded(Expr e) {
+  (
+    e instanceof UnaryArithmeticOperation or
+    e instanceof BinaryArithmeticOperation or
+    e instanceof AssignArithmeticOperation
+  ) and
+  not convertedExprMightOverflow(e)
+  or
+  // Optimitically assume that a remainder expression always yields a much smaller value.
+  e = any(RemExpr rem).getLeftOperand()
+  or
+  e = any(AssignRemExpr rem).getLValue()
+  or
+  exists(BitwiseAndExpr andExpr |
+    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
+  )
+  or
+  exists(AssignAndExpr andExpr |
+    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
+  )
+  or
+  // Optimitically assume that a division always yields a much smaller value.
+  e = any(DivExpr div).getLeftOperand()
+  or
+  e = any(AssignDivExpr div).getLValue()
+  or
+  e = any(RShiftExpr shift).getLeftOperand()
+  or
+  e = any(AssignRShiftExpr div).getLValue()
+}
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -5,7 +5,7 @@
 * @id cpp/comparison-with-wider-type
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision high
 * @tags reliability
 *       security
--- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/integer-overflow-tainted
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision low
 * @tags security
 *       external/cwe/cwe-190
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -4,7 +4,7 @@
 *              user can result in integer overflow.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision medium
 * @id cpp/uncontrolled-allocation-size
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/unsigned-difference-expression-compared-zero
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision medium
 * @tags security
 *       correctness
--- a/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/hresult-boolean-conversion
 * @problem.severity error
- * @security-severity 4.2
+ * @security-severity 7.5
 * @precision high
 * @tags security
 *       external/cwe/cwe-253
--- a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+++ b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
@@ -5,7 +5,7 @@
 *              vulnerable to spoofing attacks.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.8
+ * @security-severity 8.1
 * @precision medium
 * @id cpp/user-controlled-bypass
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -4,7 +4,7 @@
 *              to an attacker.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.5
 * @precision medium
 * @id cpp/cleartext-storage-buffer
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -4,7 +4,7 @@
 *              to an attacker.
 * @kind problem
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision medium
 * @id cpp/cleartext-storage-file
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -4,7 +4,7 @@
 *              database can expose it to an attacker.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision medium
 * @id cpp/cleartext-storage-database
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -4,8 +4,8 @@
 *              an attacker to compromise security.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.2
- * @precision medium
+ * @security-severity 7.5
+ * @precision high
 * @id cpp/weak-cryptographic-algorithm
 * @tags security
 *       external/cwe/cwe-327
@@ -70,9 +70,12 @@ EnumConstant getAdditionalEvidenceEnumConst() { isEncryptionAdditionalEvidence(r
 predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string description) {
  // find use of an insecure algorithm name
  (
-    fc.getTarget() = getAnInsecureEncryptionFunction() and
-    blame = fc and
+    exists(FunctionCall fc2 |
+      fc.getAChild*() = fc2 and
+      fc2.getTarget() = getAnInsecureEncryptionFunction() and
+      blame = fc2 and
      description = "call to " + fc.getTarget().getName()
+    )
    or
    exists(MacroInvocation mi |
      (
@@ -93,7 +96,10 @@ predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string d
  ) and
  // find additional evidence that this function is related to encryption.
  (
-    fc.getTarget() = getAnAdditionalEvidenceFunction()
+    exists(FunctionCall fc2 |
+      fc.getAChild*() = fc2 and
+      fc2.getTarget() = getAnAdditionalEvidenceFunction()
+    )
    or
    exists(MacroInvocation mi |
      (
@@ -107,6 +113,27 @@ predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string d
      ec = fc.getAnArgument() and
      ec.getTarget() = getAdditionalEvidenceEnumConst()
    )
+  ) and
+  // exclude calls from templates as this is rarely the right place to flag an
+  // issue
+  not fc.isFromTemplateInstantiation(_) and
+  (
+    // the function should have an input that looks like a non-constant buffer
+    exists(Expr e |
+      fc.getAnArgument() = e and
+      (
+        e.getUnspecifiedType() instanceof PointerType or
+        e.getUnspecifiedType() instanceof ReferenceType or
+        e.getUnspecifiedType() instanceof ArrayType
+      ) and
+      not e.getType().isDeeplyConstBelow() and
+      not e.isConstant()
+    )
+    or
+    // or be a non-const member function of an object
+    fc.getTarget() instanceof MemberFunction and
+    not fc.getTarget() instanceof ConstMemberFunction and
+    not fc.getTarget().isStatic()
  )
 }

--- a/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
@@ -4,7 +4,7 @@
 *              attackers to retrieve portions of memory.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
 * @precision very-high
 * @id cpp/openssl-heartbleed
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+++ b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
@@ -5,7 +5,7 @@
 *              the two operations.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.7
 * @precision medium
 * @id cpp/toctou-race-condition
 * @tags security
@@ -16,10 +16,13 @@ import cpp
 import semmle.code.cpp.controlflow.Guards

 /**
- * An operation on a filename.
+ * An operation on a filename that is likely to modify the corresponding file
+ * and may return an indication of success.
 *
- * Note: we're not interested in operations on file descriptors, as they
- * are better behaved.
+ * Note: we're not interested in operations where the file is specified by a
+ * descriptor, rather than a filename, as they are better behaved. We are
+ * interested in functions that take a filename and return a file descriptor,
+ * however.
 */
 FunctionCall filenameOperation(Expr path) {
  exists(string name | name = result.getTarget().getName() |
@@ -48,7 +51,8 @@ FunctionCall filenameOperation(Expr path) {
 }

 /**
- * A use of `access` (or similar) on a filename.
+ * An operation on a filename that returns information in the return value but
+ * does not modify the corresponding file.  For example, `access`.
 */
 FunctionCall accessCheck(Expr path) {
  exists(string name | name = result.getTarget().getName() |
@@ -62,7 +66,9 @@ FunctionCall accessCheck(Expr path) {
 }

 /**
- * A use of `stat` (or similar) on a filename.
+ * An operation on a filename that returns information via a pointer argument
+ * and any return value, but does not modify the corresponding file.  For
+ * example, `stat`.
 */
 FunctionCall stat(Expr path, Expr buf) {
  exists(string name | name = result.getTarget().getName() |
@@ -77,7 +83,7 @@ FunctionCall stat(Expr path, Expr buf) {
 }

 /**
- * Holds if `use` points to `source`, either by being the same or by
+ * Holds if `use` refers to `source`, either by being the same or by
 * one step of variable indirection.
 */
 predicate referenceTo(Expr source, Expr use) {
@@ -88,36 +94,38 @@ predicate referenceTo(Expr source, Expr use) {
  )
 }

-from FunctionCall fc, Expr check, Expr checkUse, Expr opUse
+from Expr check, Expr checkPath, FunctionCall use, Expr usePath
 where
-  // checkUse looks like a check on a filename
+  // `check` looks like a check on a filename
  (
    // either:
    // an access check
-    check = accessCheck(checkUse)
+    check = accessCheck(checkPath)
    or
    // a stat
-    check = stat(checkUse, _)
+    check = stat(checkPath, _)
    or
    // another filename operation (null pointers can indicate errors)
-    check = filenameOperation(checkUse)
+    check = filenameOperation(checkPath)
    or
    // access to a member variable on the stat buf
    // (morally, this should be a use-use pair, but it seems unlikely
    // that this variable will get reused in practice)
-    exists(Variable buf | exists(stat(checkUse, buf.getAnAccess())) |
+    exists(Variable buf | exists(stat(checkPath, buf.getAnAccess())) |
      check.(VariableAccess).getQualifier() = buf.getAnAccess()
    )
  ) and
-  // checkUse and opUse refer to the same SSA variable
-  exists(SsaDefinition def, StackVariable v | def.getAUse(v) = checkUse and def.getAUse(v) = opUse) and
-  // opUse looks like an operation on a filename
-  fc = filenameOperation(opUse) and
-  // the return value of check is used (possibly with one step of
-  // variable indirection) in a guard which controls fc
+  // `checkPath` and `usePath` refer to the same SSA variable
+  exists(SsaDefinition def, StackVariable v |
+    def.getAUse(v) = checkPath and def.getAUse(v) = usePath
+  ) and
+  // `op` looks like an operation on a filename
+  use = filenameOperation(usePath) and
+  // the return value of `check` is used (possibly with one step of
+  // variable indirection) in a guard which controls `use`
  exists(GuardCondition guard | referenceTo(check, guard.getAChild*()) |
-    guard.controls(fc.(ControlFlowNode).getBasicBlock(), _)
+    guard.controls(use.(ControlFlowNode).getBasicBlock(), _)
  )
-select fc,
+select use,
  "The $@ being operated upon was previously $@, but the underlying file may have been changed since then.",
-  opUse, "filename", check, "checked"
+  usePath, "filename", check, "checked"
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -4,7 +4,7 @@
 * @id cpp/unsafe-create-process-call
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision medium
 * @msrc.severity important
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
@@ -5,8 +5,7 @@
 *              state, and reading the variable may result in undefined behavior.
 * @kind problem
 * @problem.severity warning
- * @security-severity 6.9
- * @opaque-id SM02313
+ * @security-severity 7.8
 * @id cpp/conditionally-uninitialized-variable
 * @tags security
 *       external/cwe/cwe-457
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
@@ -4,7 +4,7 @@
 *              can cause buffer overflow conditions.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id cpp/suspicious-pointer-scaling
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/incorrect-pointer-scaling-char
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision low
 * @tags security
 *       external/cwe/cwe-468
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
@@ -4,7 +4,7 @@
 *              can cause buffer overflow conditions.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id cpp/suspicious-pointer-scaling-void
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -5,7 +5,7 @@
 *              implicitly scaled.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision high
 * @id cpp/suspicious-add-sizeof
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -5,7 +5,7 @@
 *              attack plan.
 * @kind problem
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.5
 * @precision medium
 * @id cpp/system-data-exposure
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/incorrect-string-type-conversion
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision high
 * @tags security
 *       external/cwe/cwe-704
--- a/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
@@ -3,7 +3,7 @@
 * @description Creating a file that is world-writable can allow an attacker to write to the file.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision medium
 * @id cpp/world-writable-file-creation
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
@@ -7,7 +7,7 @@
 * @id cpp/unsafe-dacl-security-descriptor
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision high
 * @tags security
 *       external/cwe/cwe-732
--- a/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
+++ b/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/lock-order-cycle
 * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 5.0
 * @tags security
 *       external/cwe/cwe-764
 *       external/cwe/cwe-833
--- a/Show More
+++ b/Show More