Move 'snippet' queries to 'snippets' folders

cpp/ql/examples/snippets/addressof.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Address of reference variable
+ * @description Finds address-of expressions (`&`) that take the address
+ *              of a reference variable
+ * @tags addressof
+ *       reference
+ */
+
+import cpp
+
+from AddressOfExpr addr, VariableAccess access
+where
+  access = addr.getOperand() and
+  access.getTarget().getType() instanceof ReferenceType
+select addr

cpp/ql/examples/snippets/arrayaccess.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Array access
+ * @description Finds array access expressions with an index expression
+ *              consisting of a postfix increment (`++`) expression.
+ * @tags array
+ *       access
+ *       index
+ *       postfix
+ *       increment
+ */
+
+import cpp
+
+from ArrayExpr a
+where a.getArrayOffset() instanceof PostfixIncrExpr
+select a

cpp/ql/examples/snippets/castexpr.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Cast expressions
+ * @description Finds casts from a floating point type to an integer type
+ * @tags cast
+ *       integer
+ *       float
+ *       type
+ */
+
+import cpp
+
+from Cast c
+where c.getExpr().getType() instanceof FloatingPointType
+  and c.getType() instanceof IntegralType
+select c

cpp/ql/examples/snippets/catch_exception.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Catch exception
+ * @description Finds places where we catch exceptions of type `parse_error`
+ * @tags catch
+ *       try
+ *       exception
+ */
+ 
+import cpp
+
+from CatchBlock catch
+// `stripType` converts `const parse_error &` to `parse_error`.
+where catch.getParameter().getType().stripType().hasName("parse_error")
+select catch

cpp/ql/examples/snippets/constructor_call.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Call to constructor
+ * @description Finds places where we call `new MyClass(...)`
+ * @tags call
+ *       constructor
+ *       new
+ */
+ 
+import cpp
+
+from NewExpr new, Constructor c
+where
+  c = new.getInitializer().(ConstructorCall).getTarget() and
+  c.getName() = "MyClass"
+select new

cpp/ql/examples/snippets/derives_from_class.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Class derives from
+ * @description Finds classes that derive from `std::exception`
+ * @tags base
+ *       class
+ *       derive
+ *       inherit
+ *       override
+ *       subtype
+ *       supertype
+ */
+ 
+import cpp
+
+from Class type
+where
+  type.getABaseClass+().hasName("exception") and
+  type.getNamespace().getName() = "std"
+select type

cpp/ql/examples/snippets/emptyblock.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Empty blocks
+ * @description Finds empty block statements
+ * @tags empty
+ *       block
+ *       statement
+ */
+
+import cpp
+
+from Block blk
+where blk.getNumStmt() = 0
+select blk

cpp/ql/examples/snippets/emptythen.ql

@@ -0,0 +1,16 @@
+/**
+ * @name If statements with empty then branch
+ * @description Finds `if` statements where the `then` branch is
+ *              an empty block statement
+ * @tags if
+ *       then
+ *       empty
+ *       conditional
+ *       branch
+ */
+
+import cpp
+
+from IfStmt i
+where i.getThen().(Block).getNumStmt() = 0
+select i

cpp/ql/examples/snippets/eq_true.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Equality test on boolean
+ * @description Finds tests like `==true`, `!=true`
+ * @tags equal
+ *       comparison
+ *       test
+ *       boolean
+ */
+ 
+import cpp
+
+from EqualityOperation eq, Expr trueExpr
+where
+  trueExpr = eq.getAnOperand() and
+  trueExpr.getType() instanceof BoolType and
+  trueExpr.getValue().toInt() = 1
+select eq

cpp/ql/examples/snippets/field_access.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Access of field
+ * @description Finds reads of `aDate` (defined on class `Order`)
+ * @tags access
+ *       field
+ *       read
+ */
+ 
+import cpp
+
+from Field f, FieldAccess access
+where f.hasName("aDate")
+  and f.getDeclaringType().hasName("Order")
+  and f = access.getTarget()
+select access

cpp/ql/examples/snippets/function_call.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Call to function
+ * @description Finds calls to `std::map<...>::find()`
+ * @tags call
+ *       function
+ *       method
+ */
+ 
+import cpp
+
+from FunctionCall call, Function fcn
+where
+  call.getTarget() = fcn and
+  fcn.getDeclaringType().getSimpleName() = "map" and
+  fcn.getDeclaringType().getNamespace().getName() = "std" and
+  fcn.hasName("find")
+select call

cpp/ql/examples/snippets/integer_literal.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Integer literal
+ * @description Finds places where we use the integer literal `2`
+ * @tags integer
+ *       literal
+ */
+ 
+import cpp
+
+from Literal literal
+where
+  literal.getType() instanceof IntType and
+  literal.getValue().toInt() = 2
+select literal

cpp/ql/examples/snippets/mutualrecursion.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Mutual recursion
+ * @description Finds pairs of functions that call each other
+ * @tags function
+ *       method
+ *       recursion
+ */
+
+import cpp
+
+from Function m, Function n
+where
+  exists(FunctionCall c | c.getEnclosingFunction() = m and c.getTarget() = n) and
+  exists(FunctionCall c | c.getEnclosingFunction() = n and c.getTarget() = m) and
+  m != n
+select m, n

cpp/ql/examples/snippets/override_method.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Override of method
+ * @description Finds methods that override `std::exception::what()`
+ * @tags function
+ *       method
+ *       override
+ */
+
+import cpp
+
+from MemberFunction override, MemberFunction base
+where
+  base.getName() = "what" and
+  base.getDeclaringType().getName() = "exception" and
+  base.getDeclaringType().getNamespace().getName() = "std" and
+  override.overrides+(base)
+select override

cpp/ql/examples/snippets/returnstatement.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Return statements
+ * @description Finds return statements that return `0`
+ * @tags return
+ *       statement
+ *       literal
+ */
+
+import cpp
+
+from ReturnStmt r
+where r.getExpr().(Literal).getValue().toInt() = 0
+select r

cpp/ql/examples/snippets/singletonblock.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Singleton blocks
+ * @description Finds block statements containing a single statement
+ * @tags block
+ *       statement
+ */
+
+import cpp
+
+from Block b
+where b.getNumStmt() = 1
+select b

cpp/ql/examples/snippets/switchcase.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Switch statement case missing
+ * @description Finds switch statements with a missing enum constant case
+ *              and no default case
+ * @tags switch
+ *       case
+ *       enum
+ */
+
+import cpp
+
+from EnumSwitch es, EnumConstant ec
+where
+  ec = es.getAMissingCase() and
+  not es.hasDefaultCase()
+select es, ec

cpp/ql/examples/snippets/ternaryconditional.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Conditional expressions
+ * @description Finds conditional expressions of the form `... ? ... : ...`
+ *              where the types of the resulting expressions differ
+ * @tags conditional
+ *       ternary
+ *       type
+ */
+
+import cpp
+
+from ConditionalExpr e
+where e.getThen().getType() != e.getElse().getType()
+select e

cpp/ql/examples/snippets/throw_exception.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Throw exception of type
+ * @description Finds places where we throw `parse_error` or one of its sub-types
+ * @tags base
+ *       class
+ *       throw
+ *       exception
+ */
+ 
+import cpp
+
+from ThrowExpr throw
+where throw.getType().(Class).getABaseClass*().getName() = "parse_error"
+select throw

cpp/ql/examples/snippets/todocomment.ql

@@ -0,0 +1,13 @@
+/**
+ * @name TODO comments
+ * @description Finds comments containing the word "TODO"
+ * @tags comment
+ *       matches
+ *       TODO
+ */
+
+import cpp
+
+from Comment c
+where c.getContents().matches("%TODO%")
+select c

cpp/ql/examples/snippets/toomanyparams.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Functions with many parameters
+ * @description Finds functions or methods with more than 10 parameters
+ * @tags function
+ *       method
+ *       parameter
+ *       argument
+ */
+
+import cpp
+
+from Function fcn
+where fcn.getNumberOfParameters() > 10
+select fcn

cpp/ql/examples/snippets/unusedlocalvar.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Unused local variable
+ * @description Finds local variables that are not accessed
+ * @tags variable
+ *       local
+ *       access
+ */
+
+import cpp
+
+from LocalScopeVariable v
+where
+  not v instanceof Parameter and
+  not exists(v.getAnAccess())
+select v

cpp/ql/examples/snippets/unusedmethod.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Unused private method
+ * @description Finds private non-virtual methods that are not accessed
+ * @tags method
+ *       access
+ *       private
+ *       virtual
+ */
+
+import cpp
+
+from MemberFunction fcn
+where
+  fcn.isPrivate() and
+  not fcn.isVirtual() and
+  not exists(FunctionCall call | fcn = call.getTarget())
+select fcn.getDefinition()

cpp/ql/examples/snippets/unusedparam.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Unused parameter
+ * @description Finds parameters that are not accessed
+ * @tags parameter
+ *       access
+ */
+
+import cpp
+
+from Parameter p
+where p.isNamed() and not exists(p.getAnAccess())
+select p

cpp/ql/examples/snippets/voidreturntype.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Const method without return type
+ * @description Finds const methods whose return type is `void`
+ * @tags const
+ *       function
+ *       method
+ *       modifier
+ *       specifier
+ *       return
+ *       type
+ *       void
+ */
+
+import cpp
+
+from MemberFunction m
+where
+  m.hasSpecifier("const") and
+  m.getType() instanceof VoidType
+select m

cpp/ql/examples/snippets/volatilevariable.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Variable declared volatile
+ * @description Finds variables with a `volatile` modifier
+ * @tags variable
+ *       volatile
+ */
+
+import cpp
+
+from Variable f
+where f.isVolatile()
+select f