C++: Accept query test changes.

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected

@@ -33,11 +33,14 @@ edges
 | test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:83:9:83:11 | *arr [p] | provenance |  |
 | test.cpp:79:9:79:11 | *arr [p] | test.cpp:79:14:79:14 | p | provenance |  |
 | test.cpp:83:9:83:11 | *arr [p] | test.cpp:83:14:83:14 | p | provenance |  |
+| test.cpp:87:28:87:30 | *arr [p] | test.cpp:87:28:87:30 | *arr [p] | provenance |  |
 | test.cpp:87:28:87:30 | *arr [p] | test.cpp:89:9:89:11 | *arr [p] | provenance |  |
 | test.cpp:87:28:87:30 | *arr [p] | test.cpp:93:9:93:11 | *arr [p] | provenance |  |
 | test.cpp:89:9:89:11 | *arr [p] | test.cpp:89:14:89:14 | p | provenance |  |
 | test.cpp:93:9:93:11 | *arr [p] | test.cpp:93:14:93:14 | p | provenance |  |
 | test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:87:28:87:30 | *arr [p] | provenance |  |
+| test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:98:18:98:27 | test6_callee output argument [p] | provenance |  |
+| test.cpp:98:18:98:27 | test6_callee output argument [p] | test.cpp:98:18:98:27 | *call to mk_array_p [p] | provenance |  |
 nodes
 | test.cpp:4:17:4:22 | call to malloc | semmle.label | call to malloc |
 | test.cpp:6:9:6:11 | arr | semmle.label | arr |
@@ -77,12 +80,15 @@ nodes
 | test.cpp:83:9:83:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:83:14:83:14 | p | semmle.label | p |
 | test.cpp:87:28:87:30 | *arr [p] | semmle.label | *arr [p] |
+| test.cpp:87:28:87:30 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:89:9:89:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:89:14:89:14 | p | semmle.label | p |
 | test.cpp:93:9:93:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:93:14:93:14 | p | semmle.label | p |
 | test.cpp:98:18:98:27 | *call to mk_array_p [p] | semmle.label | *call to mk_array_p [p] |
+| test.cpp:98:18:98:27 | test6_callee output argument [p] | semmle.label | test6_callee output argument [p] |
 subpaths
+| test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:87:28:87:30 | *arr [p] | test.cpp:87:28:87:30 | *arr [p] | test.cpp:98:18:98:27 | test6_callee output argument [p] |
 #select
 | test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size |
 | test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size |

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

@@ -46,6 +46,8 @@ edges
 | test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags | provenance |  |
 | test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance |  |
 | test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance |  |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command | provenance |  |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command | provenance |  |
 | test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance |  |
 | test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance |  |
 | test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | *filename | provenance |  |
@@ -57,9 +59,6 @@ edges
 | test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | *filename | provenance |  |
 | test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance |  |
 | test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance |  |
-| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance |  |
-| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance |  |
-| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance |  |
 | test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance |  |
 | test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance |  |
 | test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument | provenance |  |
@@ -118,6 +117,8 @@ nodes
 | test.cpp:183:32:183:38 | *command | semmle.label | *command |
 | test.cpp:183:32:183:38 | *command | semmle.label | *command |
 | test.cpp:183:32:183:38 | *command | semmle.label | *command |
+| test.cpp:186:19:186:25 | *command | semmle.label | *command |
+| test.cpp:186:19:186:25 | *command | semmle.label | *command |
 | test.cpp:186:47:186:54 | *filename | semmle.label | *filename |
 | test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
 | test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
@@ -142,6 +143,8 @@ nodes
 | test.cpp:222:32:222:38 | *command | semmle.label | *command |
 | test.cpp:222:32:222:38 | *command | semmle.label | *command |
 subpaths
+| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command | test.cpp:196:10:196:16 | concat output argument |
+| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command | test.cpp:196:10:196:16 | concat output argument |
 | test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:188:11:188:17 | strncat output argument | test.cpp:196:10:196:16 | concat output argument |
 | test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:188:11:188:17 | strncat output argument | test.cpp:196:10:196:16 | concat output argument |
 #select

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected

@@ -47,6 +47,7 @@ edges
 | test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p | provenance |  |
 | test.cpp:228:27:228:54 | call to malloc | test.cpp:232:10:232:15 | buffer | provenance |  |
 | test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... | provenance |  |
+| test.cpp:236:5:236:9 | *p_str [post update] [string] | test.cpp:235:27:235:31 | *p_str [string] | provenance |  |
 | test.cpp:236:5:236:26 | ... = ... | test.cpp:236:5:236:9 | *p_str [post update] [string] | provenance |  |
 | test.cpp:241:20:241:38 | call to malloc | test.cpp:242:22:242:27 | buffer | provenance |  |
 | test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | *str [string] | provenance |  |
@@ -110,6 +111,7 @@ nodes
 | test.cpp:222:15:222:20 | buffer | semmle.label | buffer |
 | test.cpp:228:27:228:54 | call to malloc | semmle.label | call to malloc |
 | test.cpp:232:10:232:15 | buffer | semmle.label | buffer |
+| test.cpp:235:27:235:31 | *p_str [string] | semmle.label | *p_str [string] |
 | test.cpp:235:40:235:45 | buffer | semmle.label | buffer |
 | test.cpp:236:5:236:9 | *p_str [post update] [string] | semmle.label | *p_str [post update] [string] |
 | test.cpp:236:5:236:26 | ... = ... | semmle.label | ... = ... |
@@ -126,6 +128,7 @@ nodes
 | test.cpp:264:13:264:30 | call to malloc | semmle.label | call to malloc |
 | test.cpp:266:12:266:12 | p | semmle.label | p |
 subpaths
+| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:235:27:235:31 | *p_str [string] | test.cpp:242:16:242:19 | set_string output argument [string] |
 | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:9 | *p_str [post update] [string] | test.cpp:242:16:242:19 | set_string output argument [string] |
 #select
 | test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | string | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected

@@ -3,11 +3,14 @@ edges
 | main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance |  |
 | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 | provenance |  |
 | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src | provenance |  |
+| overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:50:52:50:54 | *src | provenance |  |
 | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:53:15:53:17 | *src | provenance |  |
 | overflowdestination.cpp:57:52:57:54 | *src | overflowdestination.cpp:64:16:64:19 | *src2 | provenance |  |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | *src | provenance |  |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | *src | provenance |  |
 | overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src | provenance |  |
+| overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | provenance |  |
+| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | *src | provenance |  |
 | overflowdestination.cpp:76:30:76:32 | *src | overflowdestination.cpp:57:52:57:54 | *src | provenance |  |
 nodes
 | main.cpp:6:27:6:30 | **argv | semmle.label | **argv |
@@ -17,13 +20,16 @@ nodes
 | overflowdestination.cpp:43:8:43:10 | fgets output argument | semmle.label | fgets output argument |
 | overflowdestination.cpp:46:15:46:17 | *src | semmle.label | *src |
 | overflowdestination.cpp:50:52:50:54 | *src | semmle.label | *src |
+| overflowdestination.cpp:50:52:50:54 | *src | semmle.label | *src |
 | overflowdestination.cpp:53:15:53:17 | *src | semmle.label | *src |
 | overflowdestination.cpp:57:52:57:54 | *src | semmle.label | *src |
 | overflowdestination.cpp:64:16:64:19 | *src2 | semmle.label | *src2 |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | semmle.label | fgets output argument |
 | overflowdestination.cpp:75:30:75:32 | *src | semmle.label | *src |
+| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | semmle.label | overflowdest_test2 output argument |
 | overflowdestination.cpp:76:30:76:32 | *src | semmle.label | *src |
 subpaths
+| overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
 #select
 | overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
 | overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected

@@ -1,6 +1,44 @@
 edges
+| main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv | provenance |  |
+| main.cpp:6:27:6:30 | **argv | main.cpp:8:34:8:37 | **argv | provenance |  |
+| main.cpp:6:27:6:30 | **argv | main.cpp:9:29:9:32 | **argv | provenance |  |
 | main.cpp:6:27:6:30 | **argv | main.cpp:10:20:10:23 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:7:33:7:36 | overflowdesination_main output argument | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:7:33:7:36 | overflowdesination_main output argument | provenance |  |
+| main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:8:34:8:37 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:8:34:8:37 | *argv | provenance |  |
+| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:9:29:9:32 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:9:29:9:32 | *argv | provenance |  |
+| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:10:20:10:23 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:10:20:10:23 | *argv | provenance |  |
+| main.cpp:8:34:8:37 | **argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | provenance |  |
+| main.cpp:8:34:8:37 | **argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | provenance |  |
+| main.cpp:8:34:8:37 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | provenance |  |
+| main.cpp:8:34:8:37 | *argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | provenance |  |
+| main.cpp:8:34:8:37 | *argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | provenance |  |
+| main.cpp:8:34:8:37 | *argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | provenance |  |
+| main.cpp:8:34:8:37 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | provenance |  |
+| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | main.cpp:9:29:9:32 | **argv | provenance |  |
+| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | main.cpp:9:29:9:32 | *argv | provenance |  |
+| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | main.cpp:10:20:10:23 | **argv | provenance |  |
+| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | main.cpp:10:20:10:23 | *argv | provenance |  |
+| main.cpp:9:29:9:32 | **argv | main.cpp:9:29:9:32 | tests_restrict_main output argument | provenance |  |
+| main.cpp:9:29:9:32 | **argv | tests_restrict.c:15:41:15:44 | **argv | provenance |  |
+| main.cpp:9:29:9:32 | *argv | main.cpp:9:29:9:32 | tests_restrict_main output argument | provenance |  |
+| main.cpp:9:29:9:32 | *argv | main.cpp:9:29:9:32 | tests_restrict_main output argument | provenance |  |
+| main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | **argv | provenance |  |
+| main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance |  |
+| main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | **argv | provenance |  |
+| main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | *argv | provenance |  |
 | main.cpp:10:20:10:23 | **argv | tests.cpp:657:32:657:35 | **argv | provenance |  |
+| main.cpp:10:20:10:23 | *argv | tests.cpp:657:32:657:35 | **argv | provenance |  |
+| main.cpp:10:20:10:23 | *argv | tests.cpp:657:32:657:35 | *argv | provenance |  |
+| overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance |  |
+| overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | *argv | provenance |  |
+| test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | provenance |  |
+| test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | provenance |  |
+| test_buffer_overrun.cpp:32:46:32:49 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | provenance |  |
 | tests.cpp:613:19:613:24 | *source | tests.cpp:615:17:615:22 | *source | provenance |  |
 | tests.cpp:622:19:622:24 | *source | tests.cpp:625:2:625:16 | *... = ... | provenance |  |
 | tests.cpp:625:2:625:2 | *s [post update] [*home] | tests.cpp:628:14:628:14 | *s [*home] | provenance |  |
@@ -10,11 +48,35 @@ edges
 | tests.cpp:628:16:628:19 | *home | tests.cpp:628:14:628:19 | *home | provenance |  |
 | tests.cpp:657:32:657:35 | **argv | tests.cpp:682:9:682:15 | *access to array | provenance |  |
 | tests.cpp:657:32:657:35 | **argv | tests.cpp:683:9:683:15 | *access to array | provenance |  |
+| tests.cpp:657:32:657:35 | *argv | tests.cpp:682:9:682:15 | *access to array | provenance |  |
+| tests.cpp:657:32:657:35 | *argv | tests.cpp:683:9:683:15 | *access to array | provenance |  |
 | tests.cpp:682:9:682:15 | *access to array | tests.cpp:613:19:613:24 | *source | provenance |  |
 | tests.cpp:683:9:683:15 | *access to array | tests.cpp:622:19:622:24 | *source | provenance |  |
+| tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | provenance |  |
+| tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance |  |
 nodes
 | main.cpp:6:27:6:30 | **argv | semmle.label | **argv |
+| main.cpp:7:33:7:36 | **argv | semmle.label | **argv |
+| main.cpp:7:33:7:36 | overflowdesination_main output argument | semmle.label | overflowdesination_main output argument |
+| main.cpp:7:33:7:36 | overflowdesination_main output argument | semmle.label | overflowdesination_main output argument |
+| main.cpp:8:34:8:37 | **argv | semmle.label | **argv |
+| main.cpp:8:34:8:37 | *argv | semmle.label | *argv |
+| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | semmle.label | test_buffer_overrun_main output argument |
+| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | semmle.label | test_buffer_overrun_main output argument |
+| main.cpp:9:29:9:32 | **argv | semmle.label | **argv |
+| main.cpp:9:29:9:32 | *argv | semmle.label | *argv |
+| main.cpp:9:29:9:32 | tests_restrict_main output argument | semmle.label | tests_restrict_main output argument |
+| main.cpp:9:29:9:32 | tests_restrict_main output argument | semmle.label | tests_restrict_main output argument |
 | main.cpp:10:20:10:23 | **argv | semmle.label | **argv |
+| main.cpp:10:20:10:23 | *argv | semmle.label | *argv |
+| overflowdestination.cpp:23:45:23:48 | **argv | semmle.label | **argv |
+| overflowdestination.cpp:23:45:23:48 | **argv | semmle.label | **argv |
+| overflowdestination.cpp:23:45:23:48 | *argv | semmle.label | *argv |
+| test_buffer_overrun.cpp:32:46:32:49 | **argv | semmle.label | **argv |
+| test_buffer_overrun.cpp:32:46:32:49 | **argv | semmle.label | **argv |
+| test_buffer_overrun.cpp:32:46:32:49 | *argv | semmle.label | *argv |
+| test_buffer_overrun.cpp:32:46:32:49 | *argv | semmle.label | *argv |
+| test_buffer_overrun.cpp:32:46:32:49 | *argv | semmle.label | *argv |
 | tests.cpp:613:19:613:24 | *source | semmle.label | *source |
 | tests.cpp:615:17:615:22 | *source | semmle.label | *source |
 | tests.cpp:622:19:622:24 | *source | semmle.label | *source |
@@ -24,9 +86,24 @@ nodes
 | tests.cpp:628:14:628:19 | *home | semmle.label | *home |
 | tests.cpp:628:16:628:19 | *home | semmle.label | *home |
 | tests.cpp:657:32:657:35 | **argv | semmle.label | **argv |
+| tests.cpp:657:32:657:35 | *argv | semmle.label | *argv |
 | tests.cpp:682:9:682:15 | *access to array | semmle.label | *access to array |
 | tests.cpp:683:9:683:15 | *access to array | semmle.label | *access to array |
+| tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
+| tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
+| tests_restrict.c:15:41:15:44 | *argv | semmle.label | *argv |
+| tests_restrict.c:15:41:15:44 | *argv | semmle.label | *argv |
 subpaths
+| main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | main.cpp:7:33:7:36 | overflowdesination_main output argument |
+| main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | *argv | main.cpp:7:33:7:36 | overflowdesination_main output argument |
+| main.cpp:8:34:8:37 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument |
+| main.cpp:8:34:8:37 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument |
+| main.cpp:8:34:8:37 | *argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument |
+| main.cpp:8:34:8:37 | *argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument |
+| main.cpp:8:34:8:37 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument |
+| main.cpp:9:29:9:32 | **argv | tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | main.cpp:9:29:9:32 | tests_restrict_main output argument |
+| main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | main.cpp:9:29:9:32 | tests_restrict_main output argument |
+| main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | main.cpp:9:29:9:32 | tests_restrict_main output argument |
 #select
 | tests.cpp:615:2:615:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:615:17:615:22 | *source | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument |
 | tests.cpp:628:2:628:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:628:14:628:19 | *home | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected

@@ -1,20 +1,28 @@
 edges
+| argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | provenance |  |
+| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 | provenance |  |
+| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array | provenance |  |
+| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | provenance |  |
+| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 | provenance |  |
+| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 | provenance |  |
+| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... | provenance |  |
+| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... | provenance |  |
@@ -23,24 +31,100 @@ edges
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 | provenance |  |
+| argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:9:25:9:31 | *correct | provenance |  |
+| argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:96:15:96:21 | printWrapper output argument | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:101:9:101:10 | *i1 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:102:15:102:16 | *i1 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:102:15:102:16 | *i1 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:106:9:106:13 | *access to array | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:107:15:107:19 | *access to array | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:107:15:107:19 | *access to array | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:110:9:110:11 | ** ... | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:111:15:111:17 | ** ... | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:116:9:116:10 | *i3 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:117:15:117:16 | *i3 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:117:15:117:16 | *i3 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:121:9:121:10 | *i4 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:122:15:122:16 | *i4 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:122:15:122:16 | *i4 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:127:9:127:10 | *i5 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:128:15:128:16 | *i5 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:128:15:128:16 | *i5 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:131:9:131:14 | *... + ... | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:132:15:132:20 | *... + ... | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:132:15:132:20 | *... + ... | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:135:9:135:12 | *... ++ | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:136:15:136:18 | *-- ... | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:139:9:139:26 | *... ? ... : ... | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:140:15:140:32 | *... ? ... : ... | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:144:9:144:10 | *i7 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:145:15:145:16 | *i7 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:150:9:150:10 | *i8 | provenance |  |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:151:15:151:16 | *i8 | provenance |  |
+| argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:9:25:9:31 | *correct | provenance |  |
+| argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:102:15:102:16 | printWrapper output argument | provenance |  |
+| argvLocal.c:102:15:102:16 | printWrapper output argument | argvLocal.c:144:9:144:10 | *i7 | provenance |  |
+| argvLocal.c:102:15:102:16 | printWrapper output argument | argvLocal.c:145:15:145:16 | *i7 | provenance |  |
+| argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:9:25:9:31 | *correct | provenance |  |
+| argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:107:15:107:19 | printWrapper output argument | provenance |  |
+| argvLocal.c:107:15:107:19 | printWrapper output argument | argvLocal.c:110:9:110:11 | ** ... | provenance |  |
+| argvLocal.c:107:15:107:19 | printWrapper output argument | argvLocal.c:111:15:111:17 | ** ... | provenance |  |
+| argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:9:25:9:31 | *correct | provenance |  |
+| argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:117:15:117:16 | printWrapper output argument | provenance |  |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | *i4 | provenance |  |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | *i4 | provenance |  |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | *i4 | provenance |  |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | *... ++ | provenance |  |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | *-- ... | provenance |  |
+| argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:9:25:9:31 | *correct | provenance |  |
+| argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:122:15:122:16 | printWrapper output argument | provenance |  |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | *... ++ | provenance |  |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | *-- ... | provenance |  |
+| argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:9:25:9:31 | *correct | provenance |  |
+| argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:128:15:128:16 | printWrapper output argument | provenance |  |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | *... + ... | provenance |  |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | *... + ... | provenance |  |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | *... + ... | provenance |  |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:139:9:139:26 | *... ? ... : ... | provenance |  |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:140:15:140:32 | *... ? ... : ... | provenance |  |
+| argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:9:25:9:31 | *correct | provenance |  |
+| argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:132:15:132:20 | printWrapper output argument | provenance |  |
+| argvLocal.c:132:15:132:20 | printWrapper output argument | argvLocal.c:139:9:139:26 | *... ? ... : ... | provenance |  |
+| argvLocal.c:132:15:132:20 | printWrapper output argument | argvLocal.c:140:15:140:32 | *... ? ... : ... | provenance |  |
 nodes
+| argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct |
+| argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct |
 | argvLocal.c:13:27:13:30 | **argv | semmle.label | **argv |
 | argvLocal.c:95:9:95:15 | *access to array | semmle.label | *access to array |
 | argvLocal.c:96:15:96:21 | *access to array | semmle.label | *access to array |
+| argvLocal.c:96:15:96:21 | *access to array | semmle.label | *access to array |
+| argvLocal.c:96:15:96:21 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:101:9:101:10 | *i1 | semmle.label | *i1 |
 | argvLocal.c:102:15:102:16 | *i1 | semmle.label | *i1 |
+| argvLocal.c:102:15:102:16 | *i1 | semmle.label | *i1 |
+| argvLocal.c:102:15:102:16 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:106:9:106:13 | *access to array | semmle.label | *access to array |
 | argvLocal.c:107:15:107:19 | *access to array | semmle.label | *access to array |
+| argvLocal.c:107:15:107:19 | *access to array | semmle.label | *access to array |
+| argvLocal.c:107:15:107:19 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:110:9:110:11 | ** ... | semmle.label | ** ... |
 | argvLocal.c:111:15:111:17 | ** ... | semmle.label | ** ... |
 | argvLocal.c:116:9:116:10 | *i3 | semmle.label | *i3 |
 | argvLocal.c:117:15:117:16 | *i3 | semmle.label | *i3 |
+| argvLocal.c:117:15:117:16 | *i3 | semmle.label | *i3 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:121:9:121:10 | *i4 | semmle.label | *i4 |
 | argvLocal.c:122:15:122:16 | *i4 | semmle.label | *i4 |
+| argvLocal.c:122:15:122:16 | *i4 | semmle.label | *i4 |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:127:9:127:10 | *i5 | semmle.label | *i5 |
 | argvLocal.c:128:15:128:16 | *i5 | semmle.label | *i5 |
+| argvLocal.c:128:15:128:16 | *i5 | semmle.label | *i5 |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:131:9:131:14 | *... + ... | semmle.label | *... + ... |
 | argvLocal.c:132:15:132:20 | *... + ... | semmle.label | *... + ... |
+| argvLocal.c:132:15:132:20 | *... + ... | semmle.label | *... + ... |
+| argvLocal.c:132:15:132:20 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:135:9:135:12 | *... ++ | semmle.label | *... ++ |
 | argvLocal.c:136:15:136:18 | *-- ... | semmle.label | *-- ... |
 | argvLocal.c:139:9:139:26 | *... ? ... : ... | semmle.label | *... ? ... : ... |
@@ -50,6 +134,13 @@ nodes
 | argvLocal.c:150:9:150:10 | *i8 | semmle.label | *i8 |
 | argvLocal.c:151:15:151:16 | *i8 | semmle.label | *i8 |
 subpaths
+| argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:96:15:96:21 | printWrapper output argument |
+| argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:102:15:102:16 | printWrapper output argument |
+| argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:107:15:107:19 | printWrapper output argument |
+| argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:117:15:117:16 | printWrapper output argument |
+| argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:122:15:122:16 | printWrapper output argument |
+| argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:128:15:128:16 | printWrapper output argument |
+| argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:132:15:132:20 | printWrapper output argument |
 #select
 | argvLocal.c:95:9:95:15 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
 | argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected

@@ -1,29 +1,46 @@
 edges
 | globalVars.c:8:7:8:10 | **copy | globalVars.c:27:9:27:12 | *copy | provenance |  |
 | globalVars.c:8:7:8:10 | **copy | globalVars.c:30:15:30:18 | *copy | provenance |  |
+| globalVars.c:8:7:8:10 | **copy | globalVars.c:30:15:30:18 | *copy | provenance |  |
 | globalVars.c:8:7:8:10 | **copy | globalVars.c:35:11:35:14 | *copy | provenance |  |
 | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:38:9:38:13 | *copy2 | provenance |  |
 | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:41:15:41:19 | *copy2 | provenance |  |
+| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:41:15:41:19 | *copy2 | provenance |  |
 | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:50:9:50:13 | *copy2 | provenance |  |
 | globalVars.c:11:22:11:25 | **argv | globalVars.c:8:7:8:10 | **copy | provenance |  |
 | globalVars.c:15:21:15:23 | *val | globalVars.c:9:7:9:11 | **copy2 | provenance |  |
+| globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | provenance |  |
 | globalVars.c:23:27:23:30 | **argv | globalVars.c:24:11:24:14 | **argv | provenance |  |
 | globalVars.c:24:11:24:14 | **argv | globalVars.c:11:22:11:25 | **argv | provenance |  |
+| globalVars.c:30:15:30:18 | *copy | globalVars.c:19:25:19:27 | *str | provenance |  |
+| globalVars.c:30:15:30:18 | *copy | globalVars.c:30:15:30:18 | printWrapper output argument | provenance |  |
+| globalVars.c:30:15:30:18 | printWrapper output argument | globalVars.c:35:11:35:14 | *copy | provenance |  |
 | globalVars.c:35:11:35:14 | *copy | globalVars.c:15:21:15:23 | *val | provenance |  |
+| globalVars.c:41:15:41:19 | *copy2 | globalVars.c:19:25:19:27 | *str | provenance |  |
+| globalVars.c:41:15:41:19 | *copy2 | globalVars.c:41:15:41:19 | printWrapper output argument | provenance |  |
+| globalVars.c:41:15:41:19 | printWrapper output argument | globalVars.c:50:9:50:13 | *copy2 | provenance |  |
 nodes
 | globalVars.c:8:7:8:10 | **copy | semmle.label | **copy |
 | globalVars.c:9:7:9:11 | **copy2 | semmle.label | **copy2 |
 | globalVars.c:11:22:11:25 | **argv | semmle.label | **argv |
 | globalVars.c:15:21:15:23 | *val | semmle.label | *val |
+| globalVars.c:19:25:19:27 | *str | semmle.label | *str |
+| globalVars.c:19:25:19:27 | *str | semmle.label | *str |
 | globalVars.c:23:27:23:30 | **argv | semmle.label | **argv |
 | globalVars.c:24:11:24:14 | **argv | semmle.label | **argv |
 | globalVars.c:27:9:27:12 | *copy | semmle.label | *copy |
 | globalVars.c:30:15:30:18 | *copy | semmle.label | *copy |
+| globalVars.c:30:15:30:18 | *copy | semmle.label | *copy |
+| globalVars.c:30:15:30:18 | printWrapper output argument | semmle.label | printWrapper output argument |
 | globalVars.c:35:11:35:14 | *copy | semmle.label | *copy |
 | globalVars.c:38:9:38:13 | *copy2 | semmle.label | *copy2 |
 | globalVars.c:41:15:41:19 | *copy2 | semmle.label | *copy2 |
+| globalVars.c:41:15:41:19 | *copy2 | semmle.label | *copy2 |
+| globalVars.c:41:15:41:19 | printWrapper output argument | semmle.label | printWrapper output argument |
 | globalVars.c:50:9:50:13 | *copy2 | semmle.label | *copy2 |
 subpaths
+| globalVars.c:30:15:30:18 | *copy | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | globalVars.c:30:15:30:18 | printWrapper output argument |
+| globalVars.c:41:15:41:19 | *copy2 | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | globalVars.c:41:15:41:19 | printWrapper output argument |
 #select
 | globalVars.c:27:9:27:12 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:27:9:27:12 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument |
 | globalVars.c:30:15:30:18 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:30:15:30:18 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected

@@ -1,7 +1,6 @@
 edges
 | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | provenance |  |
 | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf | provenance |  |
-| test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | *buf | provenance |  |
 | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer | provenance |  |
 | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | provenance |  |
 | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | provenance |  |
@@ -17,7 +16,6 @@ nodes
 | test2.cpp:65:31:65:34 | cpy1 | semmle.label | cpy1 |
 | test2.cpp:72:15:72:24 | password | semmle.label | password |
 | test2.cpp:73:30:73:32 | *buf | semmle.label | *buf |
-| test2.cpp:76:30:76:32 | *buf | semmle.label | *buf |
 | test2.cpp:98:45:98:52 | password | semmle.label | password |
 | test2.cpp:99:27:99:32 | *buffer | semmle.label | *buffer |
 | test.cpp:45:9:45:19 | thePassword | semmle.label | thePassword |
@@ -36,7 +34,6 @@ subpaths
 | test2.cpp:57:2:57:8 | call to fprintf | test2.cpp:57:39:57:49 | call to getPassword | test2.cpp:57:39:57:49 | call to getPassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:57:39:57:49 | call to getPassword | this source. |
 | test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. |
 | test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
-| test2.cpp:76:3:76:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | *buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
 | test2.cpp:99:3:99:9 | call to fprintf | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:98:45:98:52 | password | this source. |
 | test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. |
 | test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp

@@ -73,7 +73,7 @@ void tests(FILE *log, myStruct &s)
 		fprintf(log, "buf = %s\n", buf); // BAD
 		
 		strcpy(buf, s.password_hash);
-		fprintf(log, "buf = %s\n", buf); // GOOD [FALSE POSITIVE]
+		fprintf(log, "buf = %s\n", buf); // GOOD
 	}
 
 	{

cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected

@@ -41,11 +41,14 @@ edges
 | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | *p | provenance |  |
 | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | *q | provenance |  |
 | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | *q | provenance |  |
+| tests.cpp:112:39:112:39 | *p | tests.cpp:112:39:112:39 | *p | provenance |  |
 | tests.cpp:112:39:112:39 | *p | tests.cpp:113:2:113:2 | *p | provenance |  |
 | tests.cpp:116:39:116:39 | *p | tests.cpp:117:2:117:2 | *p | provenance |  |
 | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:126:18:126:18 | *q | provenance |  |
 | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:128:18:128:18 | *q | provenance |  |
 | tests.cpp:126:18:126:18 | *q | tests.cpp:112:39:112:39 | *p | provenance |  |
+| tests.cpp:126:18:126:18 | *q | tests.cpp:126:18:126:18 | test10_doParseB output argument | provenance |  |
+| tests.cpp:126:18:126:18 | test10_doParseB output argument | tests.cpp:128:18:128:18 | *q | provenance |  |
 | tests.cpp:128:18:128:18 | *q | tests.cpp:116:39:116:39 | *p | provenance |  |
 nodes
 | tests2.cpp:20:17:20:31 | call to SAXParser | semmle.label | call to SAXParser |
@@ -117,13 +120,16 @@ nodes
 | tests.cpp:100:24:100:44 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
 | tests.cpp:104:3:104:3 | *q | semmle.label | *q |
 | tests.cpp:112:39:112:39 | *p | semmle.label | *p |
+| tests.cpp:112:39:112:39 | *p | semmle.label | *p |
 | tests.cpp:113:2:113:2 | *p | semmle.label | *p |
 | tests.cpp:116:39:116:39 | *p | semmle.label | *p |
 | tests.cpp:117:2:117:2 | *p | semmle.label | *p |
 | tests.cpp:122:23:122:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
 | tests.cpp:126:18:126:18 | *q | semmle.label | *q |
+| tests.cpp:126:18:126:18 | test10_doParseB output argument | semmle.label | test10_doParseB output argument |
 | tests.cpp:128:18:128:18 | *q | semmle.label | *q |
 subpaths
+| tests.cpp:126:18:126:18 | *q | tests.cpp:112:39:112:39 | *p | tests.cpp:112:39:112:39 | *p | tests.cpp:126:18:126:18 | test10_doParseB output argument |
 #select
 | tests2.cpp:22:2:22:2 | *p | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser |
 | tests2.cpp:37:2:37:2 | *p | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | call to SAXParser | XML parser |